How the packet travels?
Paul Rusty Russell
Tue, 28 Sep 1999 13:56:29 +0930
In message <Pine.LNX.email@example.com> you wr
[ snip massive ASCII art ]
> The biggest difference is that INPUT chains NOW *behind* "routing
> So what is the real path of packet?
Rusty reading netfilter:
/ / \ \
/ o o \
\ .____, /
My ASCII art sucks, I know. Perhaps I should try a different form of
When a packet on a network
Enters Linux from a NIC,
Or PPP, ISDN,
Or even via SL/IP,
It goes right into net_bh,
Which sees it is IP,
And hands it via ptype->func()
To old ip_rcv(). [pron: `EYE-PEE receive']
This calls the PRE_ROUTING hook,
Where ipfwadm was, [pron: `EYE-PEE-FWADM']
And ipchains lived here as well,
But not iptables, 'cause...
PRE_ROUTING is for NAT NAT NAT,
Redirection and so on,
Inadaquate for filtering,
So iptables is gone...
To LOCAL_IN, the one true hook,
Where filtering ought to be,
Because we know this very box,
Is its destiny.
On the way out, it's just the same,
'Cause filtering now takes place
As local packets leave the box,
In LOCAL_OUT, with grace.
But what, you ask, are we to do
About packets passing through?
Where should we now filter them
Please give us this one clue?
Not in PRE_ROUTING nor in POST,
We don't need three ways here,
The one true place to filter these,
Is the FORWARD hook, it's clear.
The FORWARD hook is just the same,
But we've added just one thing,
You get incoming interface,
As well as outgoing.
iptables is so cool,
It makes my packets sing,
That Rusty he is one hot coder,
OOPS: my box is crashing...